ON THE CORRESPONDENCE BETWEEN SUPERSINGULAR
ELLIPTIC CURVES AND MAXIMAL QUATERNIONIC ORDERS 



JUAN MARCOS CERVINO 

Abstract. We present a deterministic and explicit algorithm for the computation
of the endomorphism rings of supersingular elliptic curves. Given any
prime characteristic $p$, the algorithm returns a list of pairs
$(E, \{1, e_1(E), e_2(E), e_3(E)\})$ for all supersingular elliptic curves $E$ over $\mathbb{F}_p$,
where the second coordinate is a base of $\mathrm{End}_{\overline{\mathbb{F}}_p}(E) \otimes \mathbb{Q}$.

We will give at the end a table of supersingular elliptic curves with their
respective endomorphism rings, resembling Deuring's table |1| 257-258] .



1. Introduction 

In this section we fix notation and state well known results concerning elliptic 
curves over finite fields. 

Let $k$ be a finite field with $q = p^d$ elements ($p$ prime), $E$ an elliptic curve in
$\mathbb{P}^2(k)$, given by:

(1.1) $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, with the $a_i$'s $\in k$;

plus the only point $P_0$ of the curve lying on the line at infinity. This curve $E$
is said to be defined in $k$, and we will denote this by $E/k$. Fix $P_0$ as the neutral
element of the group structure of $E$.

The curve E is called supersingular if it satisfies the following equivalences (see 
PI! or OH): 

Theorem 1.1. Let $E/k$ be an elliptic curve, and denote by $[\lambda]$ the isogeny
multiplication by $\lambda$, with kernel $E[\lambda]$ (not to be seen as group scheme, rather as the group
of points of "order" $\lambda$). Then the following are equivalent:

(1) $E[p^r] = \mathrm{Ker}([p^r]) = 0$ for one and hence for all $r > 1$.

(2) The map $[p]$ is purely inseparable and $j(E) \in \mathbb{F}_{p^2}$.

(3) $\mathrm{End}_{\bar{k}}(E)$ is a non-commutative order.

(4) The function field $k(E)$ has no cyclic (separable and unramified) $p$-extensions.

In general, the endomorphism rings of elliptic curves are: 

• Z, 

• an order of an imaginary quadratic number field, 

• a maximal order of a quaternion algebra over $\mathbb{Q}$.

The last case can only occur when the field of definition has characteristic $p > 0$
and, after (1.1), when the elliptic curve is supersingular. This last assertion was
proved in |o], moreover he shows there that the quaternion algebra is exactly $\mathbb{Q}_{\infty,p}$,
the only quaternion algebra (up to isomorphism) over $\mathbb{Q}$ ramified only at $\infty$ and
$p$. In he proved indeed that all maximal order types of this algebra $\mathbb{Q}_{\infty,p}$
appear as endomorphism rings of supersingular elliptic curves over $\mathbb{F}_{p^2}$, and that
the number of those was exactly the type number of $\mathbb{Q}_{\infty,p}$, resulting hence a one to
one correspondence between the maximal types of this quaternionic algebra and the
supersingular elliptic curves (up to isomorphism) defined on fields of characteristic
$p$.

In this article we study this correspondence and give an algorithm to effectively 
determine it. 



2. Arithmetic in quaternion algebras and ternary quadratic forms 

A quaternion algebra $\mathfrak{A}$ over $\mathbb{Q}$ is a central simple four dimensional $\mathbb{Q}$-algebra
and we will always have in mind $\mathbb{Q}_{\infty,p}$ for some prime number $p$ (we refer to \7\
and [13] for basic notions on algebras and their arithmetic). As usual, tr and nr
denote the (reduced) trace and (reduced) norm respectively. An order of $\mathfrak{A}$ is a
subring containing $\mathbb{Z}$, which is also a finitely generated free $\mathbb{Z}$-module of rank 4.
We are interested in those orders which are maximal under inclusion, and call them
maximal orders or simply orders.

Definition 2.1. Let $O$ and $O'$ be two (maximal quaternionic) orders in $\mathfrak{A}$. They
are of the same type when $\exists\, a \in \mathfrak{A}$ with $\mathrm{nr}(a) \neq 0$ such that:

$O = a^{-1} O' a$.

By $t(\mathfrak{A})$ we denote the number of different types in $\mathfrak{A}$ and call it the type number
of the algebra.

Let $O$ be any quaternionic order, then one can do arithmetic on that order
(by studying left (right) $O$-ideals), and in particular one defines its class number:
$h(O)$. The most basic theorem on the arithmetic of quaternion algebras may
be the following:

Theorem 2.2 (Brandt). The class numbers and the type numbers are finite, and
$t(\mathfrak{A}) \le h(O)$ for any order $O$ in $\mathfrak{A}$. Moreover, if $\mathfrak{A} = \mathbb{Q}_{\infty,p}$ one has that all class
numbers are the same for all (maximal) orders, and hence we can speak about the
class number of the algebra, denoted by $h(\mathbb{Q}_{\infty,p}) = h_p$, and denote the type number
$t_p$ as well.

Indeed he gave also a formula to compute the class number, a special case of
Eichler's formula (in [S]), formulated in greater generality. The type number for the
special case of our quaternion algebras was computed in [^j and for Eichler orders
(in particular our maximal ones) of quaternion algebras over totally real number
fields in jT2J.

2.1. Brandt-Sohn correspondence. We may refer the reader for any not explained
basic definition on the theory of quadratic forms either to [H] or to
All the ternary quadratic forms we are going to work with are integral and positive
definite. In .2,, Brandt constructed maximal orders from ternary lattices via even
Clifford algebras. His idea was then exploited by W. Sohn in his thesis ^7] where
he proved the following:

Theorem 2.3. [17, Satz 5.1] There exists an explicit bijection between the classes
of ternary quadratic forms of discriminant $-p$ and the order types of the quaternion
algebra $\mathbb{Q}_{\infty,p}$.

In modern language, we find the explicit formulas to compute this correspondence
for example in For any ternary quadratic form $f$, we use Seeber's
notation (see pQ):

(2.1) $f = \sum_{1 \le i \le j \le 3} a_{ij} x_i x_j$, $a_{ij} \in \mathbb{Z}$,

will be represented by:

(2.2) $\begin{pmatrix} a_{11} & a_{22} & a_{33} \\ a_{23} & a_{13} & a_{12} \end{pmatrix}$;

where $r$¹ is the number of automorphic transformations of the quadratic form $f$,
which is a divisor of 24 (not 3). The numbers $N_1 := a_{11}$, $N_2 := a_{22}$, $N_3 := a_{33}$ will
be called successive minima of $f$.

Already Gauß knew how to associate a lattice to a ternary quadratic form:
$f \mapsto \Lambda_f$. Brandt associated further to any ternary quadratic space an order in a
quaternion algebra: $\Lambda \mapsto O_\Lambda \subset \mathfrak{A} = O_\Lambda \otimes \mathbb{Q}$. Altogether, any ternary quadratic
form gives rise to an order in a quaternion algebra over $\mathbb{Q}$:

$f \mapsto C_0(f)$,

where $C_0(f)$ is the well known even Clifford algebra of $f$, with basis $\{1, e_1, e_2, e_3\}$
satisfying the following equations:

2 _ _ 

(2.3) $e_i e_j = a_{kk}(a_{ij} - e_k)$,

$e_j e_i = a_{1k} e_1 + a_{2k} e_2 + a_{3k} e_3 - a_{ik} a_{jk}$,

with $(i,j,k)$ any even permutation of $\{1,2,3\}$. In this way, once we have a complete
list of representatives of all equivalence-classes of ternary quadratic forms of
discriminant $-p$, we can write down explicitly the $\mathbb{Z}$-basis of representatives of all
different order types in $\mathbb{Q}_{\infty,p}$.

In order to effectively compute a representative of each equivalence class of
ternary quadratic forms of discriminant $-p$, one follows the same idea as for
binary quadratic forms, namely defining what is called a reduced ternary quadratic
form, in such a way that two different reduced ternary quadratic forms should not
be equivalent.



¹ This information will not be needed before we state the algorithm, and hence may not be
always written.

Definition 2.4. A ternary quadratic form $f$ as in (2.2) is reduced iff

(1) $f(x) \ge a_{ii}$ $\forall i = 1,2,3$ and $\forall x \in \mathbb{Z}^3$ with $\gcd(x_i, \dots, x_3) = 1$;

(2) $a_{12} \ge 0$, $a_{13} \ge 0$ and $(a_{12} = 0 \vee a_{13} = 0) \Rightarrow a_{23} > 0$;

(3) $a_{11} = a_{22} \Rightarrow |a_{23}| < a_{13}$;

(4) $a_{22} = a_{33} \Rightarrow a_{13} < a_{12}$.

We refer the reader to ^Hj for an explicit algorithm to compute them. As a
consequence of the Mahler-Weyl and Minkowski inequalities (see [20]), one
obtains in our particular case the following so called fundamental inequality:

(2.4) $a_{11} a_{22} a_{33} < 2d$.

Then pasting this algorithm together with the equations (2.3) above, we are able to
explicitly compute a basis of all different order types of $\mathbb{Q}_{\infty,p}$.



3. A result of Vélu

In this section we recall a result of Vélu, which is used in the algorithm to
construct separable isogenies of a given degree on an elliptic curve.

Since we are interested in the correspondence between supersingular elliptic
curves and their endomorphism rings we can suppose that $p > 11$². The reason
is that the class number of the quaternion algebras ramified at $\infty$ and at
$p \in \{2,3,5,7\}$ is one (see for instance 53 ), and hence the type numbers must be
also $t_2 = t_3 = t_5 = t_7 = 1$ by .

We set $k = \mathbb{F}_{p^d}$, and give any elliptic curve $E/k$. Pick a (finite) rational subgroup
$G \subset E(k)$. Hence we have the following isogeny between elliptic curves: $\lambda : E \to E/G$.
With this notation the following holds:

Theorem 3.1. [19] Once the equation of $E$ and all the elements of the subgroup
$G$ are known, there exists a closed formula to compute the equation of the isogeny
$\lambda$ and the defining equation of the quotient $E/G$.

Remark 3.2. In particular, given any positive integer $\ell \neq p$ one can construct all
separable endomorphisms of degree $\ell$, just by finding explicitly all subgroups of
$E$ of order $\ell$, and then constructing the corresponding isogenies to the quotient.
This quotient will be again an elliptic curve, since the projection morphism is finite
separable and unramified, therefore by Hurwitz's formula the genus of the two
curves must be the same. Since one obtains also the equation of the quotient, we
can compute in particular its j-invariant. Then we compare it with the j-invariant
of the original elliptic curve $E$, and then the isogeny will be an endomorphism if
and only if both invariants coincide.

4. The algorithm 
Algorithm 4.1 (Deuring's Correspondence). 

INPUT: A prime number p. 



² We actually can suppose $p > 29$. See (4.7).

OUTPUT: A list of $t_p$ elements of the form $(j_0, \{1, e_1(j_0), e_2(j_0), e_3(j_0)\})$, where
the first coordinate runs over all supersingular j-invariants of $\mathbb{F}_p$, and the second
coordinate is a $\mathbb{Z}$-generating set for the lattice corresponding to the maximal
order $\mathrm{End}_{\overline{\mathbb{F}}_p}(E(j_0))$ of $\mathbb{Q}_{\infty,p}$.

1. Compute all reduced ternary quadratic forms of discriminant $-p$.
Put: $3QF = \{f_1, \dots, f_t\}$.

2. Compute all different types of maximal orders in $\mathbb{Q}_{\infty,p}$.

Put: $QO = \{O_1, \dots, O_t\}$.

3. Compute all the j-invariants of supersingular elliptic curves over $\mathbb{F}_p$.
Put: $L_j = \{j_1, \dots, j_{2t-h}, j_{2t-h+1}, \dots, j_t\}$.

4. Compute $h'$ integers, which will enable us to classify the endomorphism rings.
Put: $A = \{\ell_1, \dots, \ell_{h'}\}$.

Compute all possible pairs $(\mathrm{tr}(\alpha), \mathrm{nr}(\alpha))$ with $\alpha$ in any of the maximal orders of $QO$,
such that $\mathrm{nr}(\alpha) = \ell$ for some $\ell \in A$. So in this way, we will have for $i = 1, \dots, t$:

$SPL_i = \{(\mathrm{tr}(\alpha), \mathrm{nr}(\alpha)) \mid \alpha \in O_i \text{ and } \mathrm{nr}(\alpha) = \ell \text{ for some } \ell \in A\}$.

Put: $SPL = \{SPL_1, \dots, SPL_t\}$.

5. Construct all the separable isogenies of degree $\ell_i$ for every $i = 1, \dots, h'$ on every
supersingular elliptic curve $E(j)$ with $j \in L_j$ and for every one collect the pair
(tr, deg). In this way, we obtain a similar list to the one of the previous step, but on
the side of elliptic curves, namely:

Isog(S(j)) = {(£r(Ai),de 5 (Ai)), . . . , (tr(\ k(td) ),deg(\ k{i ^))}. 



Put: $\mathrm{Isog} = \{\mathrm{Isog}(E(j_1)), \dots, \mathrm{Isog}(E(j_t))\}$.

6. Find the permutation $\sigma$ of $\{1, \dots, t\}$, such that $\mathrm{Isog}(E(j_i))$ and $SPL_{\sigma(i)}$ are equal
as finite subsets of $\mathbb{Z}^2$.

7. Return: $\{(E(j_1), O_{\sigma(1)}), \dots, (E(j_t), O_{\sigma(t)})\}$.

Let us clarify the algorithm (4.1) step by step.

Step 1,2. The first two steps were already done in (2).

Step 3. A beautiful section of the famous paper 0] is exactly the computation
of equations for the j-invariants of the "elliptic function fields" which do not
possess cyclic $p$-extensions (see the equivalences in (1.1)). After studying first the
case $p = 2$, he writes explicit formulas for an invariant (denoted $A$ by Hasse) which
detects whether an elliptic function field has cyclic $p$-extensions or not, just by
checking if $A$ is different or equal to 0, respectively. $A$ will be just a polynomial
in the j-invariant of the elliptic function field with coefficients depending only on
$p$. We know further that all j-invariants of supersingular elliptic curves are defined
in $\mathbb{F}_{p^2}$, and then the polynomial $A = A(j)$ splits over $\mathbb{F}_p$ with factors of degree at
most 2. So we can easily compute its roots, obtaining in this way all supersingular
j-invariants in characteristic $p$. Finally, we put in $L_j$ the roots of $A$ defined over
the prime field, plus one root of each of its quadratic factors. Since $A$ is of degree
$h$, and there are $2t - h$ roots in the prime field, $L_j$ has length $t$ equal to the number
of reduced ternary quadratic forms of discriminant $-p$.
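
An added example (not code from the paper) of the counting in Step 3, narrowed to the roots of $A$ in the prime field: each $j \in \mathbb{F}_p$ is tested by point counting instead of factoring $A$, and $t$ is recovered from $h$ and the $2t - h$ rational roots. The closed count used for $h$ and the curve model chosen for a given $j$ are standard facts supplied here as assumptions, valid for $p \ge 5$.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def curve_with_j(j, p):
    """(a, b) such that y^2 = x^3 + a*x + b over F_p (p >= 5) has j-invariant j."""
    j %= p
    if j == 0:
        return 0, 1                      # y^2 = x^3 + 1
    if j == 1728 % p:
        return 1, 0                      # y^2 = x^3 + x
    k = j * pow((1728 - j) % p, -1, p) % p
    return 3 * k % p, 2 * k % p          # y^2 = x^3 + 3k*x + 2k with k = j/(1728 - j)

def is_supersingular(j, p):
    """For p >= 5: supersingular iff #E(F_p) = p + 1, i.e. the character sum is 0."""
    a, b = curve_with_j(j, p)
    return sum(legendre(x * x * x + a * x + b, p) for x in range(p)) == 0

def class_number(p):
    """h = number of supersingular j-invariants in characteristic p >= 5 (assumed formula)."""
    return p // 12 + {1: 0, 5: 1, 7: 1, 11: 2}[p % 12]

def step3_counts(p):
    """Return (supersingular j in F_p, h, t), using 'deg A = h' and '2t - h roots in F_p'."""
    rational = [j for j in range(p) if is_supersingular(j, p)]
    h = class_number(p)
    t, odd = divmod(h + len(rational), 2)
    if odd:
        raise ValueError("h and the number of rational roots must have the same parity")
    return rational, h, t

if __name__ == "__main__":
    for p in (29, 31, 37):
        print(p, step3_counts(p))
```

For $p = 37$ only one root lies in the prime field, so $L_j$ needs one more entry taken from the quadratic factor of $A$, which this sketch does not compute.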

Step 4. This is the crucial part of the algorithm. We base the proof of this
step on an interesting theorem on ternary quadratic forms. Let $f$, $g$ be ternary
positive definite quadratic forms. Then we define $f \sim g \iff \exists\, T \in GL_n(\mathbb{Z})$ such that
$f(Tx) = g(x)$, and call them integrally equivalent. For any such form $f$, we define
the representation numbers $r(f, \ell)$ as

$r(f,\ell) := \#\{x \in \mathbb{Z}^3 : f(x) = \ell\}$.

By the main result of [15]: the Theta-series of the ternary quadratic forms determine
their classes. More precisely:

Theorem 4.2. [15] Given two ternary quadratic forms $f$ and $g$ of discriminant $d$,
there exists a bound $b(f)$ such that the following holds:

$r(f,\ell) = r(g,\ell)\ \forall \ell < b(f) \implies f \sim g$;

withb(f) = min{-l/UN 1 + l8/7N 2 + N 3 ,3/2N 1 -5/6N 2 + l7/6N 3 ,13/5N 1 + N 2 + 
N%, 7/2N3} and the Ni 's the successive minima of f. 

So, the representation numbers classify the classes of ternary quadratic forms.
Before we use this theorem we prove this:

Lemma 4.3. Let $p$ be any prime and $f$ any reduced ternary quadratic form. By the
Brandt-Sohn correspondence, $f$ has associated a maximal order $O_f$ in $\mathbb{Q}_{\infty,p}$. Then
the form $(\mathrm{tr}^2 - 4\,\mathrm{nr})|_{O_f} = 0 \perp q(f)$, with $q(f)$ positive definite and 3-dimensional.

Proof. Follows by straightforward computation using the formulas (2.3). We just
write here the resulting matrix of $q(f)$:

$\begin{pmatrix} a_{23}^2 - 4a_{22}a_{33} & 2a_{12}a_{33} - a_{13}a_{23} & 2a_{13}a_{22} - a_{12}a_{23} \\ 2a_{12}a_{33} - a_{13}a_{23} & a_{13}^2 - 4a_{11}a_{33} & 2a_{11}a_{23} - a_{12}a_{13} \\ 2a_{13}a_{22} - a_{12}a_{23} & 2a_{11}a_{23} - a_{12}a_{13} & a_{12}^2 - 4a_{11}a_{22} \end{pmatrix}$

□

Definition 4.4. Let $O$ be an order in $\mathbb{Q}_{\infty,p}$. Define:

$T_b(O) := \{(\mathrm{tr}(\alpha), \mathrm{nr}(\alpha)) \in \mathbb{Z}^2 \mid \alpha \in O \text{ and } \mathrm{nr}(\alpha) < b\}$.

We now study the sets of the definition above for the orders $O_f$ associated to
any ternary quadratic form $f$ as in (|2.H> by stating our key:

Proposition 4.5. Let $\{f_1, \dots, f_t\}$ be a set of representatives of reduced ternary
quadratic forms. Then the sets $T_b(O_{f_i}) \subset \mathbb{Z}^2$ for $i = 1, \dots, t$ are all different.
Namely, these subsets characterize uniquely the types of maximal orders in $\mathbb{Q}_{\infty,p}$
and $b = O(p)$.

Proof. Let $f_1$ and $f_2$ be any two different ternary quadratic forms of discriminant
$-p$. Then we set $q_i := (\mathrm{tr}^2 - 4\,\mathrm{nr})|_{O_{f_i}}$, $i = 1, 2$. From (4.3) we have
$q_i = 0 \perp \tilde{q}_i$ ($i = 1, 2$), with $\tilde{q}_i$ 3-dimensional. Applying the result of (4.2) to $f_1$ and $f_2$,
we see that these two ternary quadratic forms are equivalent iff they have the
same representation numbers, hence being the two corresponding orders of the
same type. In sum, for $f_1 \not\sim f_2$ there exists a bound $b_{12}$, such that for some
$\ell < b_{12}$: $r(f_1,\ell) \neq r(f_2,\ell)$. Hence, in particular, the finite sets $T_{b_{12}}(O_{f_1})$ and
$T_{b_{12}}(O_{f_2})$ must be different. Setting $b := \max\{b_{ij} \mid i,j = 1, \dots, t\}$ the result
follows directly from (4.2) and Mahler-Weyl's bound (2.4), which goes like $O(p)$. □

After (4.5) there are, say, $h'$ different norms: $A := \{\ell_1, \dots, \ell_{h'}\}$ which allow us to
identify all different maximal order types of $\mathbb{Q}_{\infty,p}$. More explicitly, define:

$SPL_i := \{(\mathrm{tr}(\alpha), \mathrm{nr}(\alpha)) \mid \alpha \in O_{f_i} \text{ and } \mathrm{nr}(\alpha) \in A\}$.

Then $SPL_i = SPL_j \iff i = j$, and this is what we mean by identifying all different
maximal orders.
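
An added example, not code from the paper, of the sets $SPL_i$ just defined: it enumerates the $(\mathrm{tr}, \mathrm{nr})$ pairs of $O_f$ from the matrix of Lemma 4.3 and searches a list of candidate norms for one that separates two forms. The two forms are constructed samples with $4a_{11}a_{22}a_{33} + a_{23}a_{13}a_{12} - a_{11}a_{23}^2 - a_{22}a_{13}^2 - a_{33}a_{12}^2 = 11$; that normalisation of the discriminant, the sign convention $4\,\mathrm{nr} - \mathrm{tr}^2$ and $\mathrm{tr}(e_i) = a_{jk}$ (read off from (2.3)) are assumptions of this sketch.

```python
from itertools import product
from math import isqrt

# Constructed sample forms (a11, a22, a33, a23, a13, a12); not taken from the paper's table.
F1 = (1, 1, 3, 0, 1, 0)
F2 = (1, 1, 4, 1, 1, 1)

def disc(f):
    """Discriminant under the normalisation assumed in the lead-in."""
    a11, a22, a33, a23, a13, a12 = f
    return 4*a11*a22*a33 + a23*a13*a12 - a11*a23**2 - a22*a13**2 - a33*a12**2

def q_matrix(f):
    """Symmetric matrix of q(f) as written out in the proof of Lemma 4.3."""
    a11, a22, a33, a23, a13, a12 = f
    m12 = 2*a12*a33 - a13*a23
    m13 = 2*a13*a22 - a12*a23
    m23 = 2*a11*a23 - a12*a13
    return [[a23**2 - 4*a22*a33, m12, m13],
            [m12, a13**2 - 4*a11*a33, m23],
            [m13, m23, a12**2 - 4*a11*a22]]

def spl(f, norms):
    """Pairs (tr, nr) of alpha = x0 + x1*e1 + x2*e2 + x3*e3 in O_f with nr(alpha) in norms."""
    a11, a22, a33, a23, a13, a12 = f
    G = [[-v for v in row] for row in q_matrix(f)]      # 4*nr - tr^2 on (x1, x2, x3)
    cof = [G[1][1]*G[2][2] - G[1][2]**2,
           G[0][0]*G[2][2] - G[0][2]**2,
           G[0][0]*G[1][1] - G[0][1]**2]
    det = (G[0][0]*cof[0] - G[0][1]*(G[0][1]*G[2][2] - G[1][2]*G[0][2])
           + G[0][2]*(G[0][1]*G[1][2] - G[1][1]*G[0][2]))
    # Cauchy-Schwarz: x_i^2 <= (G^-1)_ii * G(x), and G(x) <= 4*max(norms).
    box = [isqrt(c * 4 * max(norms) // det) for c in cof]
    pairs = set()
    for x in product(*(range(-r, r + 1) for r in box)):
        gx = sum(G[i][k] * x[i] * x[k] for i in range(3) for k in range(3))
        t0 = a23*x[0] + a13*x[1] + a12*x[2]             # tr(e_i) = a_jk (assumption)
        for n in norms:
            sq = 4*n - gx                               # tr^2 = 4*nr - G(x)
            if sq < 0:
                continue
            t = isqrt(sq)
            if t*t == sq and (t - t0) % 2 == 0:         # tr = 2*x0 + t0 for an integer x0
                pairs.update({(t, n), (-t, n)})
    return pairs

def first_separating_norm(f, g, candidates):
    """Smallest candidate norm whose (tr, nr) pairs differ between O_f and O_g, else None."""
    for n in sorted(candidates):
        if spl(f, [n]) != spl(g, [n]):
            return n
    return None
```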

Remark 4.6. For the concrete implementation of the construction of $A$, we actually
have to "weight" the $\ell$'s which identify different orders. The point is that the
number of different subgroups of a given order $\ell$ of the elliptic curve depends also
on the number of its factors. We prefer to get prime $\ell$'s, then we would have
to compute just $\ell + 1$ subgroups. Suppose for example $\ell = 6$. Then we have to
compute 30 subgroups; instead for $\ell = 7$ there are just 8. For the table QJ, the
set $A$ of step 4 could be chosen always as a subset of $\{3, 5, 7\}$, therefore having to
compute at most only 18 subgroups of each supersingular elliptic curve which can
be made almost instantly.

Step 5. 

First set i = 1, k = 1. 

We put $\ell := \ell_i \in A$ and also $E := E(j_k)$; $j_k \in L_j$ (output of step 3), any
elliptic curve with j-invariant $j_k$. Search for the extension $\mathbb{F}_{p^{2d_\ell}}$ (say of cardinal
$q_\ell$) over $\mathbb{F}_{p^2}$ produced by the points of order $\ell$ of $E$. Consider now $G := E(\mathbb{F}_{q_\ell})$,
which will be a product of two cyclic groups of the same order $n$ (see [14]), so
that $n^2 = 1 + q_\ell - \mathrm{tr}_g$. We must find two generators $P_1, P_2$ of $G$, so called echelon
generators. Then with these two echelon generators, one can construct all subgroups
of order $\ell$ and the respective quotients as explained in (3.2). For each quotient
which is actually an endomorphism, we may check its trace, just by looking at
the respective possible traces given by the quadratic forms, and then put it in the
formula $\phi^2 - [\mathrm{tr}(\phi)]\phi + [\ell] = 0$, and so we find also the traces. Obviously, we can
compute them exactly, just by doing it on the Tate module, and we know to which
level we should compute, just by the Hasse bound (but we practically avoided this
way, as we have just explained). After all this, we have a list of the endomorphisms
of the supersingular elliptic curve $E$ with its respective traces (the degrees are all
$\ell$, clearly). Append these pairs $(\mathrm{tr}, \ell)$ to $\mathrm{Isog}(E)$.

Before returning to the beginning of the previous paragraph, if $k = t$ stop, otherwise
$i = i + 1$. If $i > h'$ put $i = 1$ and $k = k + 1$. Return to the beginning of the
previous paragraph.

Step 6. 

Once we computed Isog, what is left is only to search the only bijection³ from
Isog to SPL, which exists by Deuring's correspondence. This bijection gives us the
permutation $\sigma$ we are looking for, which so far means a correspondence between
the supersingular elliptic curves and the reduced ternary quadratic forms.

Step 7. With the permutation $\sigma$ and the Brandt-Sohn correspondence explained
in (2.1), we obtain the desired output. □



³ See ET71 .

Remark 4.7. We must also mention a fact which enables us also to simplify our
previous algorithm; namely the automorphisms of the elliptic curves on the one
side, and the automorphic transformations of the reduced ternary quadratic forms
on the other. The number of these automorphic transformations is $r$ of (2.1). As
one sees in the table the $r$ invariants are 1, 2, 4 or 6 depending on well known
facts on the j-invariants of the corresponding supersingular elliptic curves (see |lfl|).
The "strange" case $r = 1$ occurs only when there are two different isomorphism-classes
of supersingular elliptic curves with the same endomorphism ring (i.e. the
supersingular j-invariant is not defined in the prime field). See [21, Theorem 4.5].

Therefore, in order to establish the correspondence, we can suppose $p > 29$ since
in all previous cases either the type number was one or the different $r$'s of the
ternary quadratic forms were enough to decide the correspondence.

Remark 4.8. About the complexity of this algorithm, we can only say that, since
the bound of (4.2) has order $O(p)$, it could (at least theoretically, and we guess
only) happen that the $\ell_i$'s of step 4 were all prime numbers smaller than $p$. Hence
we should make $O(\pi(p))$ extensions of $\mathbb{F}_{p^2}$, and for each find echelon generators of
the rational points. So, without sharpening the growth of the bound in (4.2) we
cannot expect to have a polynomial complexity.

5. Table 

As an example of our algorithm we compute the correspondence between
supersingular j-invariants of characteristic $p$ and reduced ternary quadratic forms of
discriminant $-p$, for $29 < p < 97$, resembling Deuring's table 0] 257-258]. By
the explicit Brandt-Sohn correspondence (2.1) one can directly compute the basis
of the corresponding endomorphism rings with rational coefficients. We prescind
from doing this to obtain a readable table. For every prime $p$ we write in bold on
each row, the supersingular j-invariants of characteristic $p$. Below each of these
invariants we write the corresponding reduced ternary quadratic form in Seeber's
notation (2.2).